Add tests for xattr error handling in exec_binfmt

kaovilai · kaovilai · commit 42aefa681209 · 2025-07-17T11:26:30.000-05:00
Signed-off-by: Tiger Kaovilai &lt;passawit.kaovilai@gmail.com&gt;
diff --git a/solver/llbsolver/ops/exec_binfmt.go b/solver/llbsolver/ops/exec_binfmt.go
@@ -65,14 +65,7 @@ func (m *staticEmulatorMount) Mount() ([]mount.Mount, func() error, error) {
 	if err := copy.Copy(context.TODO(), filepath.Dir(m.path), filepath.Base(m.path), tmpdir, qemuMountName, func(ci *copy.CopyInfo) {
 		m := 0555
 		ci.Mode = &m
-	}, copy.WithChown(uid, gid), copy.WithXAttrErrorHandler(func(dst, src, xattrKey string, err error) error {
-		// Only ignore ENOTSUP errors specifically for security.selinux xattr
-		// This addresses the SELinux issue while being more targeted than ignoring all ENOTSUP errors
-		if errors.Is(err, syscall.ENOTSUP) && xattrKey == "security.selinux" {
-			return nil
-		}
-		return err
-	})); err != nil {
+	}, copy.WithChown(uid, gid), copy.WithXAttrErrorHandler(createSELinuxXAttrErrorHandler())); err != nil {
 		return nil, nil, err
 	}
 
@@ -131,3 +124,22 @@ func getEmulator(ctx context.Context, p *pb.Platform) (*emulator, error) {
 
 	return &emulator{path: fn}, nil
 }
+
+// createSELinuxXAttrErrorHandler creates an error handler for xattr copy operations
+// that specifically ignores ENOTSUP errors for security.selinux extended attributes.
+// This addresses SELinux compatibility issues where copying files to filesystems that
+// don't support SELinux xattrs (like tmpfs) would fail with ENOTSUP, preventing
+// qemu emulator setup on SELinux-enabled systems. Since the security.selinux xattr
+// is not critical for the emulator functionality, we safely ignore these errors
+// while preserving other xattr error handling.
+func createSELinuxXAttrErrorHandler() func(dst, src, xattrKey string, err error) error {
+	return func(dst, src, xattrKey string, err error) error {
+		// Ignore ENOTSUP errors specifically for security.selinux xattr
+		// This allows qemu emulator setup to succeed on SELinux systems
+		// when copying to filesystems that don't support SELinux xattrs
+		if errors.Is(err, syscall.ENOTSUP) && xattrKey == "security.selinux" {
+			return nil
+		}
+		return err
+	}
+}
diff --git a/solver/llbsolver/ops/exec_binfmt_test.go b/solver/llbsolver/ops/exec_binfmt_test.go
@@ -0,0 +1,93 @@
+package ops
+
+import (
+	"syscall"
+	"testing"
+
+	"github.com/pkg/errors"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBinfmtXAttrErrorHandler(t *testing.T) {
+	handler := createSELinuxXAttrErrorHandler()
+
+	tests := []struct {
+		name        string
+		dst         string
+		src         string
+		xattrKey    string
+		inputErr    error
+		expectErr   bool
+		description string
+	}{
+		{
+			name:        "ENOTSUP_security_selinux_ignored",
+			dst:         "/tmp/dest",
+			src:         "/tmp/src",
+			xattrKey:    "security.selinux",
+			inputErr:    syscall.ENOTSUP,
+			expectErr:   false,
+			description: "ENOTSUP error for security.selinux should be ignored",
+		},
+		{
+			name:        "ENOTSUP_other_xattr_propagated",
+			dst:         "/tmp/dest",
+			src:         "/tmp/src",
+			xattrKey:    "user.some_attr",
+			inputErr:    syscall.ENOTSUP,
+			expectErr:   true,
+			description: "ENOTSUP error for non-selinux xattr should propagate",
+		},
+		{
+			name:        "ENOTSUP_security_capability_propagated",
+			dst:         "/tmp/dest",
+			src:         "/tmp/src",
+			xattrKey:    "security.capability",
+			inputErr:    syscall.ENOTSUP,
+			expectErr:   true,
+			description: "ENOTSUP error for other security xattr should propagate",
+		},
+		{
+			name:        "other_error_security_selinux_propagated",
+			dst:         "/tmp/dest",
+			src:         "/tmp/src",
+			xattrKey:    "security.selinux",
+			inputErr:    syscall.EPERM,
+			expectErr:   true,
+			description: "Non-ENOTSUP errors should always propagate",
+		},
+		{
+			name:        "wrapped_ENOTSUP_error_handled",
+			dst:         "/tmp/dest",
+			src:         "/tmp/src",
+			xattrKey:    "security.selinux",
+			inputErr:    errors.Wrap(syscall.ENOTSUP, "wrapped error"),
+			expectErr:   false,
+			description: "Wrapped ENOTSUP errors should be handled with errors.Is",
+		},
+		{
+			name:        "nil_error_returns_nil",
+			dst:         "/tmp/dest",
+			src:         "/tmp/src",
+			xattrKey:    "security.selinux",
+			inputErr:    nil,
+			expectErr:   false,
+			description: "Nil error should return nil",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			result := handler(tt.dst, tt.src, tt.xattrKey, tt.inputErr)
+
+			if tt.expectErr {
+				require.Error(t, result, tt.description)
+				require.Equal(t, tt.inputErr, result, "Error should be propagated unchanged")
+			} else {
+				require.NoError(t, result, tt.description)
+			}
+		})
+	}
+}
